@kernlang/review 3.3.8 → 3.3.9

package/dist/cache.js

@@ -3,7 +3,7 @@ import { existsSync, mkdirSync, readdirSync, readFileSync, rmSync, writeFileSync
 import { homedir } from 'os';
 import { dirname, join, resolve } from 'path';
 // Version stamp for cache invalidation — changes when rules/analyzers change
-const REVIEW_CACHE_VERSION = '3.2.3-review-cache-3';
+const REVIEW_CACHE_VERSION = '3.3.9-review-cache-1';
 const IMPORT_SPECIFIER_RE = /(?:import|export)\s+(?:[^'"`]*?\s+from\s+)?['"]([^'"]+)['"]|import\(\s*['"]([^'"]+)['"]\s*\)/g;
 const EXTENSION_FALLBACK = {
     '.js': ['.ts', '.tsx', '.mts', '.cts'],

package/dist/concept-rules/auth-propagation-drift.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Rule: auth-propagation-drift
+ *
+ * Cross-stack rule — complements `auth-drift` by catching non-raw-fetch API
+ * clients (axios/got/ky-style direct calls) that call an authenticated server
+ * route without visible auth/session propagation.
+ */
+import type { ReviewFinding } from '../types.js';
+import type { ConceptRuleContext } from './index.js';
+export declare function authPropagationDrift(ctx: ConceptRuleContext): ReviewFinding[];

package/dist/concept-rules/auth-propagation-drift.js

@@ -0,0 +1,83 @@
+/**
+ * Rule: auth-propagation-drift
+ *
+ * Cross-stack rule — complements `auth-drift` by catching non-raw-fetch API
+ * clients (axios/got/ky-style direct calls) that call an authenticated server
+ * route without visible auth/session propagation.
+ */
+import { createFingerprint } from '../types.js';
+import { CROSS_STACK_EXACT_CONFIDENCE, collectRoutesAcrossGraph, findHighConfidenceRouteForMethod, findMatchingRouteForMethod, normalizeClientUrl, } from './cross-stack-utils.js';
+export function authPropagationDrift(ctx) {
+    if (!ctx.allConcepts || ctx.allConcepts.size === 0)
+        return [];
+    const serverRoutes = collectRoutesAcrossGraph(ctx.allConcepts);
+    if (serverRoutes.length === 0)
+        return [];
+    const authGuardContainers = collectAuthGuardContainers(ctx.allConcepts);
+    if (authGuardContainers.size === 0)
+        return [];
+    const findings = [];
+    const localConcepts = ctx.allConcepts.get(ctx.filePath) ?? ctx.concepts;
+    for (const node of localConcepts.nodes) {
+        if (node.kind !== 'effect' || node.payload.kind !== 'effect' || node.payload.subtype !== 'network')
+            continue;
+        if (node.payload.authPropagation !== 'absent')
+            continue;
+        // `auth-drift` owns the raw fetch/no Authorization case for backward
+        // compatibility with the existing rule ID. This rule covers richer clients.
+        if (node.payload.hasAuthHeader === false)
+            continue;
+        const target = node.payload.target;
+        if (typeof target !== 'string')
+            continue;
+        const normalized = normalizeClientUrl(target);
+        if (!normalized)
+            continue;
+        const route = ctx.crossStackMode === 'audit'
+            ? findMatchingRouteForMethod(normalized, node.payload.method, serverRoutes)
+            : findHighConfidenceRouteForMethod(normalized, node.payload.method, serverRoutes);
+        if (!route?.node)
+            continue;
+        const fileGuards = authGuardContainers.get(route.node.primarySpan.file);
+        if (!fileGuards)
+            continue;
+        const routeContainer = route.node.containerId;
+        const guardedByContainer = routeContainer !== undefined && fileGuards.routeContainers.has(routeContainer);
+        const guardedBySingleRouteFile = fileGuards.totalRoutesInFile === 1;
+        if (!guardedByContainer && !guardedBySingleRouteFile)
+            continue;
+        findings.push({
+            source: 'kern',
+            ruleId: 'auth-propagation-drift',
+            severity: 'warning',
+            category: 'bug',
+            message: `Client calls authenticated route \`${target}\` without visible auth/session propagation. Add an Authorization/Cookie/session credential path or route this call through an authenticated client wrapper.`,
+            primarySpan: node.primarySpan,
+            relatedSpans: [route.node.primarySpan],
+            fingerprint: createFingerprint('auth-propagation-drift', node.primarySpan.startLine, node.primarySpan.startCol),
+            confidence: node.confidence * CROSS_STACK_EXACT_CONFIDENCE,
+        });
+    }
+    return findings;
+}
+function collectAuthGuardContainers(allConcepts) {
+    const result = new Map();
+    for (const [filePath, map] of allConcepts) {
+        const routeContainers = new Set();
+        let routeCount = 0;
+        for (const node of map.nodes) {
+            if (node.kind === 'entrypoint' && node.payload.kind === 'entrypoint' && node.payload.subtype === 'route') {
+                routeCount++;
+                continue;
+            }
+            if (node.kind !== 'guard' || node.payload.kind !== 'guard' || node.payload.subtype !== 'auth')
+                continue;
+            if (node.containerId !== undefined)
+                routeContainers.add(node.containerId);
+        }
+        if (routeContainers.size > 0)
+            result.set(filePath, { routeContainers, totalRoutesInFile: routeCount });
+    }
+    return result;
+}
+//# sourceMappingURL=auth-propagation-drift.js.map

package/dist/concept-rules/auth-propagation-drift.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-propagation-drift.js","sourceRoot":"","sources":["../../src/concept-rules/auth-propagation-drift.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EACL,4BAA4B,EAC5B,wBAAwB,EACxB,gCAAgC,EAChC,0BAA0B,EAC1B,kBAAkB,GACnB,MAAM,wBAAwB,CAAC;AAGhC,MAAM,UAAU,oBAAoB,CAAC,GAAuB;IAC1D,IAAI,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE9D,MAAM,YAAY,GAAG,wBAAwB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC/D,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEzC,MAAM,mBAAmB,GAAG,0BAA0B,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACxE,IAAI,mBAAmB,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE9C,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,MAAM,aAAa,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC;IAExE,KAAK,MAAM,IAAI,IAAI,aAAa,CAAC,KAAK,EAAE,CAAC;QACvC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,SAAS;YAAE,SAAS;QAC7G,IAAI,IAAI,CAAC,OAAO,CAAC,eAAe,KAAK,QAAQ;YAAE,SAAS;QACxD,qEAAqE;QACrE,4EAA4E;QAC5E,IAAI,IAAI,CAAC,OAAO,CAAC,aAAa,KAAK,KAAK;YAAE,SAAS;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,IAAI,OAAO,MAAM,KAAK,QAAQ;YAAE,SAAS;QACzC,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAC9C,IAAI,CAAC,UAAU;YAAE,SAAS;QAE1B,MAAM,KAAK,GACT,GAAG,CAAC,cAAc,KAAK,OAAO;YAC5B,CAAC,CAAC,0BAA0B,CAAC,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,YAAY,CAAC;YAC3E,CAAC,CAAC,gCAAgC,CAAC,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QACtF,IAAI,CAAC,KAAK,EAAE,IAAI;YAAE,SAAS;QAC3B,MAAM,UAAU,GAAG,mBAAmB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QACxE,IAAI,CAAC,UAAU;YAAE,SAAS;QAE1B,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;QAC9C,MAAM,kBAAkB,GAAG,cAAc,KAAK,SAAS,IAAI,UAAU,CAAC,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC1G,MAAM,wBAAwB,GAAG,UAAU,CAAC,iBAAiB,KAAK,CAAC,CAAC;QACpE,IAAI,CAAC,kBAAkB,IAAI,CAAC,wBAAwB;YAAE,SAAS;QAE/D,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,wBAAwB;YAChC,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,sCAAsC,MAAM,8JAA8J;YACnN,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,YAAY,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;YACtC,WAAW,EAAE,iBAAiB,CAAC,wBAAwB,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC;YAC/G,UAAU,EAAE,IAAI,CAAC,UAAU,GAAG,4BAA4B;SAC3D,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAOD,SAAS,0BAA0B,CAAC,WAA4C;IAC9E,MAAM,MAAM,GAAG,IAAI,GAAG,EAAwB,CAAC;IAC/C,KAAK,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC,IAAI,WAAW,EAAE,CAAC;QAC1C,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAC1C,IAAI,UAAU,GAAG,CAAC,CAAC;QACnB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBACzG,UAAU,EAAE,CAAC;gBACb,SAAS;YACX,CAAC;YACD,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,MAAM;gBAAE,SAAS;YACxG,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS;gBAAE,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC5E,CAAC;QACD,IAAI,eAAe,CAAC,IAAI,GAAG,CAAC;YAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,CAAC,CAAC;IACzG,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/concept-rules/body-shape-drift.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Rule: body-shape-drift
+ *
+ * Cross-stack rule — fires when a client `fetch(url, { body: JSON.stringify({ … }) })`
+ * omits one or more fields that the matching server handler reads off
+ * `req.body` (Express inline handler). Classic LLM-authored drift:
+ *
+ *   client:   fetch('/api/users', { body: JSON.stringify({ name }) })
+ *   server:   app.post('/api/users', (req, res) => {
+ *               const { name, email } = req.body;   // ← email never sent
+ *               ...
+ *             });
+ *
+ * V1 is deliberately narrow per the red-team consensus on the body-shape
+ * plan:
+ *   - Express only (no Pydantic/FastAPI cross-file model resolution).
+ *   - Raw `fetch` only on the client (no axios/ky/got/wrapper clients).
+ *   - Inline handlers only (imported-identifier handlers stay silent).
+ *   - Missing-fields direction only (client omits what server needs). The
+ *     "extra" direction (client sends what server ignores) conflicts with
+ *     legitimate pass-through handlers and is deferred.
+ *   - Fires only when BOTH `sentFieldsResolved` and `bodyFieldsResolved`
+ *     are true. Opaque bodies, wrapper clients, whole-body forwarding all
+ *     stay silent by design — false negatives are the price of zero
+ *     false positives.
+ *
+ * Requires graph mode: the client call and server route live in different
+ * files by definition. Single-file review returns no findings.
+ */
+import type { ReviewFinding } from '../types.js';
+import type { ConceptRuleContext } from './index.js';
+export declare function bodyShapeDrift(ctx: ConceptRuleContext): ReviewFinding[];

package/dist/concept-rules/body-shape-drift.js

@@ -0,0 +1,96 @@
+/**
+ * Rule: body-shape-drift
+ *
+ * Cross-stack rule — fires when a client `fetch(url, { body: JSON.stringify({ … }) })`
+ * omits one or more fields that the matching server handler reads off
+ * `req.body` (Express inline handler). Classic LLM-authored drift:
+ *
+ *   client:   fetch('/api/users', { body: JSON.stringify({ name }) })
+ *   server:   app.post('/api/users', (req, res) => {
+ *               const { name, email } = req.body;   // ← email never sent
+ *               ...
+ *             });
+ *
+ * V1 is deliberately narrow per the red-team consensus on the body-shape
+ * plan:
+ *   - Express only (no Pydantic/FastAPI cross-file model resolution).
+ *   - Raw `fetch` only on the client (no axios/ky/got/wrapper clients).
+ *   - Inline handlers only (imported-identifier handlers stay silent).
+ *   - Missing-fields direction only (client omits what server needs). The
+ *     "extra" direction (client sends what server ignores) conflicts with
+ *     legitimate pass-through handlers and is deferred.
+ *   - Fires only when BOTH `sentFieldsResolved` and `bodyFieldsResolved`
+ *     are true. Opaque bodies, wrapper clients, whole-body forwarding all
+ *     stay silent by design — false negatives are the price of zero
+ *     false positives.
+ *
+ * Requires graph mode: the client call and server route live in different
+ * files by definition. Single-file review returns no findings.
+ */
+import { createFingerprint } from '../types.js';
+import { API_PATH_RE, CROSS_STACK_HEURISTIC_CONFIDENCE, collectRoutesAcrossGraph, findMatchingRoute, normalizeClientUrl, } from './cross-stack-utils.js';
+export function bodyShapeDrift(ctx) {
+    if (!ctx.allConcepts || ctx.allConcepts.size === 0)
+        return [];
+    const serverRoutes = collectRoutesAcrossGraph(ctx.allConcepts);
+    if (serverRoutes.length === 0)
+        return [];
+    const clientCalls = [];
+    for (const [, conceptMap] of ctx.allConcepts) {
+        for (const node of conceptMap.nodes) {
+            if (node.kind !== 'effect' || node.payload.kind !== 'effect' || node.payload.subtype !== 'network')
+                continue;
+            if (node.payload.sentFieldsResolved !== true)
+                continue;
+            const fields = node.payload.sentFields;
+            if (!fields)
+                continue;
+            const target = node.payload.target;
+            if (typeof target !== 'string')
+                continue;
+            const normalized = normalizeClientUrl(target);
+            if (!normalized || !API_PATH_RE.test(normalized))
+                continue;
+            clientCalls.push({ target, normalizedPath: normalized, sentFields: fields, node });
+        }
+    }
+    if (clientCalls.length === 0)
+        return [];
+    const findings = [];
+    const seen = new Set();
+    for (const call of clientCalls) {
+        if (call.node.primarySpan.file !== ctx.filePath)
+            continue;
+        const route = findMatchingRoute(call.normalizedPath, serverRoutes);
+        if (!route || !route.node)
+            continue;
+        if (route.node.payload.kind !== 'entrypoint')
+            continue;
+        if (route.node.payload.bodyFieldsResolved !== true)
+            continue;
+        const serverFields = route.node.payload.bodyFields;
+        if (!serverFields || serverFields.length === 0)
+            continue;
+        const missing = serverFields.filter((f) => !call.sentFields.includes(f));
+        if (missing.length === 0)
+            continue;
+        const fingerprint = createFingerprint('body-shape-drift', call.node.primarySpan.startLine, call.node.primarySpan.startCol);
+        if (seen.has(fingerprint))
+            continue;
+        seen.add(fingerprint);
+        const missingList = missing.map((f) => `\`${f}\``).join(', ');
+        const plural = missing.length === 1 ? 'field' : 'fields';
+        findings.push({
+            source: 'kern',
+            ruleId: 'body-shape-drift',
+            severity: 'warning',
+            category: 'bug',
+            message: `Frontend POSTs to \`${call.normalizedPath}\` without ${plural} ${missingList}, but the matching server handler reads ${missing.length === 1 ? 'it' : 'them'} off \`req.body\`. The handler will see \`undefined\` for the missing ${plural}.`,
+            primarySpan: call.node.primarySpan,
+            fingerprint,
+            confidence: call.node.confidence * CROSS_STACK_HEURISTIC_CONFIDENCE,
+        });
+    }
+    return findings;
+}
+//# sourceMappingURL=body-shape-drift.js.map

package/dist/concept-rules/body-shape-drift.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"body-shape-drift.js","sourceRoot":"","sources":["../../src/concept-rules/body-shape-drift.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAIH,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EACL,WAAW,EACX,gCAAgC,EAChC,wBAAwB,EACxB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,wBAAwB,CAAC;AAUhC,MAAM,UAAU,cAAc,CAAC,GAAuB;IACpD,IAAI,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAE9D,MAAM,YAAY,GAAG,wBAAwB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC/D,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEzC,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,KAAK,MAAM,CAAC,EAAE,UAAU,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QAC7C,KAAK,MAAM,IAAI,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,SAAS;gBAAE,SAAS;YAC7G,IAAI,IAAI,CAAC,OAAO,CAAC,kBAAkB,KAAK,IAAI;gBAAE,SAAS;YACvD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;YACvC,IAAI,CAAC,MAAM;gBAAE,SAAS;YACtB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;YACnC,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,SAAS;YACzC,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;YAC9C,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC;gBAAE,SAAS;YAC3D,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QACrF,CAAC;IACH,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAExC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,KAAK,GAAG,CAAC,QAAQ;YAAE,SAAS;QAE1D,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;QACnE,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,IAAI;YAAE,SAAS;QACpC,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;YAAE,SAAS;QACvD,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,kBAAkB,KAAK,IAAI;YAAE,SAAS;QAC7D,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;QACnD,IAAI,CAAC,YAAY,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEzD,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QACzE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEnC,MAAM,WAAW,GAAG,iBAAiB,CACnC,kBAAkB,EAClB,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,EAC/B,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAC/B,CAAC;QACF,IAAI,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;YAAE,SAAS;QACpC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAEtB,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC;QACzD,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,uBAAuB,IAAI,CAAC,cAAc,cAAc,MAAM,IAAI,WAAW,2CAA2C,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,yEAAyE,MAAM,GAAG;YACvP,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;YAClC,WAAW;YACX,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,gCAAgC;SACpE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/concept-rules/cross-stack-utils.d.ts

@@ -84,6 +84,17 @@ export declare function normalizeClientUrl(raw: string): string | undefined;
  * behaviour).
  */
 export declare function findMatchingRoute(clientPath: string, routes: readonly ServerRoute[]): ServerRoute | undefined;
+export declare function findMatchingRouteForMethod(clientPath: string, clientMethod: string | undefined, routes: readonly ServerRoute[]): ServerRoute | undefined;
+/**
+ * Noise-gated route match for newer cross-stack rules.
+ *
+ * The older matcher intentionally returns the first path-shaped match so
+ * legacy rules retain broad coverage. Newer rules that can feel speculative
+ * should use this helper instead: it requires a known client method, exactly
+ * one matching server route for that method, a concrete internal API path, and
+ * no catch-all/wildcard route shapes.
+ */
+export declare function findHighConfidenceRouteForMethod(clientPath: string, clientMethod: string | undefined, routes: readonly ServerRoute[]): ServerRoute | undefined;
 /** Boolean-returning thin wrapper preserved for callers that just need a yes/no. */
 export declare function hasMatchingRoute(clientPath: string, routes: readonly ServerRoute[]): boolean;
 /**
@@ -94,3 +105,16 @@ export declare function hasMatchingRoute(clientPath: string, routes: readonly Se
  * no one calls it" (method-drift / orphan-route territory).
  */
 export declare function findRoutesAtPath(clientPath: string, routes: readonly ServerRoute[]): ServerRoute[];
+export declare function routeMethodMatches(routeMethod: string | undefined, clientMethod: string): boolean;
+/**
+ * Resolve an inline Express handler's concept from a route node. Only
+ * meaningful for `route` entrypoints whose mapper set `handlerConceptId`
+ * (inline arrow/function handlers — not imported identifiers). Returns
+ * undefined when the route has no inline handler or the expected concept
+ * is absent from the map (e.g., stripped during serialisation).
+ *
+ * Rules that reason about handler body contents — body-shape drift, auth
+ * checks, response envelope detection — use this as the single lookup
+ * point so callers don't re-implement span-or-id matching in each rule.
+ */
+export declare function findHandlerConcept(map: ConceptMap, route: ConceptNode): ConceptNode | undefined;

package/dist/concept-rules/cross-stack-utils.js

@@ -197,25 +197,52 @@ export function normalizeClientUrl(raw) {
 export function findMatchingRoute(clientPath, routes) {
     const clientSegments = trimTrailing(clientPath).split('/');
     for (const route of routes) {
-        const routeSegments = trimTrailing(route.path).split('/');
-        if (routeSegments.length !== clientSegments.length)
+        if (routePathMatchesSegments(route.path, clientSegments))
+            return route;
+    }
+    return undefined;
+}
+export function findMatchingRouteForMethod(clientPath, clientMethod, routes) {
+    const clientSegments = trimTrailing(clientPath).split('/');
+    for (const route of routes) {
+        if (!routePathMatchesSegments(route.path, clientSegments))
             continue;
-        let matched = true;
-        for (let i = 0; i < routeSegments.length; i++) {
-            const rs = routeSegments[i];
-            const cs = clientSegments[i];
-            if (isParamSegment(rs))
-                continue;
-            if (rs !== cs) {
-                matched = false;
-                break;
-            }
-        }
-        if (matched)
+        if (!clientMethod || routeMethodMatches(route.method, clientMethod))
             return route;
     }
     return undefined;
 }
+/**
+ * Noise-gated route match for newer cross-stack rules.
+ *
+ * The older matcher intentionally returns the first path-shaped match so
+ * legacy rules retain broad coverage. Newer rules that can feel speculative
+ * should use this helper instead: it requires a known client method, exactly
+ * one matching server route for that method, a concrete internal API path, and
+ * no catch-all/wildcard route shapes.
+ */
+export function findHighConfidenceRouteForMethod(clientPath, clientMethod, routes) {
+    if (!isHighConfidenceClientPath(clientPath))
+        return undefined;
+    if (!clientMethod)
+        return undefined;
+    const matches = findRoutesAtPath(clientPath, routes).filter((route) => {
+        if (!route.node)
+            return false;
+        if (route.node.confidence < 0.75)
+            return false;
+        if (!route.method)
+            return false;
+        if (WILDCARD_METHODS.has(route.method.toUpperCase()))
+            return false;
+        if (!routeMethodMatches(route.method, clientMethod))
+            return false;
+        if (!isHighConfidenceServerPath(route.path))
+            return false;
+        return true;
+    });
+    return matches.length === 1 ? matches[0] : undefined;
+}
 /** Boolean-returning thin wrapper preserved for callers that just need a yes/no. */
 export function hasMatchingRoute(clientPath, routes) {
     return findMatchingRoute(clientPath, routes) !== undefined;
@@ -231,21 +258,7 @@ export function findRoutesAtPath(clientPath, routes) {
     const clientSegments = trimTrailing(clientPath).split('/');
     const matches = [];
     for (const route of routes) {
-        const routeSegments = trimTrailing(route.path).split('/');
-        if (routeSegments.length !== clientSegments.length)
-            continue;
-        let matched = true;
-        for (let i = 0; i < routeSegments.length; i++) {
-            const rs = routeSegments[i];
-            const cs = clientSegments[i];
-            if (isParamSegment(rs))
-                continue;
-            if (rs !== cs) {
-                matched = false;
-                break;
-            }
-        }
-        if (matched)
+        if (routePathMatchesSegments(route.path, clientSegments))
             matches.push(route);
     }
     return matches;
@@ -253,6 +266,87 @@ export function findRoutesAtPath(clientPath, routes) {
 function trimTrailing(path) {
     return path.length > 1 && path.endsWith('/') ? path.slice(0, -1) : path;
 }
+function routePathMatchesSegments(routePath, clientSegments) {
+    const routeSegments = trimTrailing(routePath).split('/');
+    if (routeSegments.length !== clientSegments.length)
+        return false;
+    for (let i = 0; i < routeSegments.length; i++) {
+        const rs = routeSegments[i];
+        const cs = clientSegments[i];
+        if (isParamSegment(rs))
+            continue;
+        if (rs !== cs)
+            return false;
+    }
+    return true;
+}
+function isHighConfidenceClientPath(path) {
+    if (!API_PATH_RE.test(path))
+        return false;
+    if (hasCatchAllOrWildcardSegment(path))
+        return false;
+    const segments = trimTrailing(path).split('/').filter(Boolean);
+    return segments.every((segment) => {
+        if (!segment.includes('${'))
+            return true;
+        return /^\$\{[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)?\}$/.test(segment);
+    });
+}
+function isHighConfidenceServerPath(path) {
+    if (!API_PATH_RE.test(path))
+        return false;
+    return !hasCatchAllOrWildcardSegment(path);
+}
+function hasCatchAllOrWildcardSegment(path) {
+    return trimTrailing(path)
+        .split('/')
+        .some((segment) => {
+        if (!segment)
+            return false;
+        if (segment === '*' || segment.includes('...'))
+            return true;
+        if (segment.startsWith('*'))
+            return true;
+        if (/^\{[^}:]+:path\}$/.test(segment))
+            return true;
+        return false;
+    });
+}
+// Verbs emitted by route declarations that intentionally accept any method.
+const WILDCARD_METHODS = new Set(['ALL', 'ANY']);
+export function routeMethodMatches(routeMethod, clientMethod) {
+    if (!routeMethod)
+        return true;
+    const r = routeMethod.toUpperCase();
+    if (WILDCARD_METHODS.has(r))
+        return true;
+    const c = clientMethod.toUpperCase();
+    if (r === c)
+        return true;
+    // Express and Starlette/FastAPI both auto-respond to HEAD on GET routes.
+    if (c === 'HEAD' && r === 'GET')
+        return true;
+    return false;
+}
+/**
+ * Resolve an inline Express handler's concept from a route node. Only
+ * meaningful for `route` entrypoints whose mapper set `handlerConceptId`
+ * (inline arrow/function handlers — not imported identifiers). Returns
+ * undefined when the route has no inline handler or the expected concept
+ * is absent from the map (e.g., stripped during serialisation).
+ *
+ * Rules that reason about handler body contents — body-shape drift, auth
+ * checks, response envelope detection — use this as the single lookup
+ * point so callers don't re-implement span-or-id matching in each rule.
+ */
+export function findHandlerConcept(map, route) {
+    if (route.kind !== 'entrypoint' || route.payload.kind !== 'entrypoint')
+        return undefined;
+    const handlerId = route.payload.handlerConceptId;
+    if (!handlerId)
+        return undefined;
+    return map.nodes.find((n) => n.id === handlerId);
+}
 function isParamSegment(seg) {
     return seg.startsWith(':') || (seg.startsWith('{') && seg.endsWith('}'));
 }

package/dist/concept-rules/cross-stack-utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"cross-stack-utils.js","sourceRoot":"","sources":["../../src/concept-rules/cross-stack-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAAG,GAAG,CAAC;AAEpD;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,GAAG,CAAC;AAEhD,kEAAkE;AAClE,MAAM,CAAC,MAAM,WAAW,GAAG,UAAU,CAAC;AAStC,MAAM,UAAU,kBAAkB,CAAC,GAAe;IAChD,IAAI,GAAG,CAAC,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;QAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;YAAE,OAAO,KAAK,CAAC;QACnF,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,kCAAkC,CAAC,IAAiB,EAAE,GAAgB;IACpF,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,KAAK,CAAC;IACnF,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IACnD,IAAI,IAAI,CAAC,OAAO,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IAC7C,OAAO,GAAG,CAAC,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,aAAa,CAAC,GAAe,EAAE,MAAqB;IAClE,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO;YAAE,SAAS;QACnH,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;QAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAChE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAA4C;IACnF,MAAM,MAAM,GAAkB,EAAE,CAAC;IACjC,oEAAoE;IACpE,MAAM,cAAc,GAAG,IAAI,GAAG,EAAoB,CAAC;IACnD,MAAM,cAAc,GAAG,IAAI,GAAG,EAAwD,CAAC;IACvF,KAAK,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,IAAI,WAAW,EAAE,CAAC;QAC3C,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAC/E,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,aAAa;gBAAE,SAAS;YACrD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YACjC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;YAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC;YAC/C,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;gBACpD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAClB,cAAc,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;gBAClD,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;gBACjC,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,IAAI,WAAW,EAAE,CAAC;QAC3C,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAC/E,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO;gBAAE,SAAS;YAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAEhE,MAAM,MAAM,GAAG,kBAAkB,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;YACtG,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACzD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CACzB,SAAiB,EACjB,UAA8B,EAC9B,cAA6C,EAC7C,cAAiF;IAEjF,6EAA6E;IAC7E,+EAA+E;IAC/E,kFAAkF;IAClF,6EAA6E;IAC7E,yEAAyE;IACzE,KAAK,MAAM,CAAC,YAAY,EAAE,QAAQ,CAAC,IAAI,cAAc,EAAE,CAAC;QACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QACpC,MAAM,OAAO,GAAG,6BAA6B,CAAC,IAAI,CAAC,YAAY,CAAC;YAC9D,CAAC,CAAC,YAAY;YACd,CAAC,CAAC,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC;QAC7C,IAAI,SAAS,KAAK,OAAO,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,OAAO,EAAE,CAAC;YAAE,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC;IACrF,CAAC;IACD,iFAAiF;IACjF,uEAAuE;IACvE,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;YAChE,IAAI,QAAQ;gBAAE,OAAO,QAAQ,CAAC,MAAM,CAAC;QACvC,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,SAAS,CAAC,MAAc,EAAE,IAAY;IAC7C,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAC1E,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAC7D,IAAI,WAAW,KAAK,GAAG;QAAE,OAAO,aAAa,IAAI,GAAG,CAAC;IACrD,OAAO,GAAG,aAAa,GAAG,WAAW,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACrB,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IACnE,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAChC,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5D,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3D,GAAG,GAAG,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,CAAC;QAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACpC,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,CAAC;QAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACpC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,UAAkB,EAAE,MAA8B;IAClF,MAAM,cAAc,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC1D,IAAI,aAAa,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM;YAAE,SAAS;QAC7D,IAAI,OAAO,GAAG,IAAI,CAAC;QACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC9C,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,EAAE,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,cAAc,CAAC,EAAE,CAAC;gBAAE,SAAS;YACjC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBACd,OAAO,GAAG,KAAK,CAAC;gBAChB,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,OAAO;YAAE,OAAO,KAAK,CAAC;IAC5B,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,gBAAgB,CAAC,UAAkB,EAAE,MAA8B;IACjF,OAAO,iBAAiB,CAAC,UAAU,EAAE,MAAM,CAAC,KAAK,SAAS,CAAC;AAC7D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,UAAkB,EAAE,MAA8B;IACjF,MAAM,cAAc,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAkB,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC1D,IAAI,aAAa,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM;YAAE,SAAS;QAC7D,IAAI,OAAO,GAAG,IAAI,CAAC;QACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC9C,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YAC5B,MAAM,EAAE,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,cAAc,CAAC,EAAE,CAAC;gBAAE,SAAS;YACjC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBACd,OAAO,GAAG,KAAK,CAAC;gBAChB,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,OAAO;YAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1E,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAC3E,CAAC"}
+{"version":3,"file":"cross-stack-utils.js","sourceRoot":"","sources":["../../src/concept-rules/cross-stack-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAAG,GAAG,CAAC;AAEpD;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,GAAG,CAAC;AAEhD,kEAAkE;AAClE,MAAM,CAAC,MAAM,WAAW,GAAG,UAAU,CAAC;AAStC,MAAM,UAAU,kBAAkB,CAAC,GAAe;IAChD,IAAI,GAAG,CAAC,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;QAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;YAAE,OAAO,KAAK,CAAC;QACnF,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,kCAAkC,CAAC,IAAiB,EAAE,GAAgB;IACpF,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,KAAK,CAAC;IACnF,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IACnD,IAAI,IAAI,CAAC,OAAO,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IAC7C,OAAO,GAAG,CAAC,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,aAAa,CAAC,GAAe,EAAE,MAAqB;IAClE,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO;YAAE,SAAS;QACnH,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;QAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAChE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAA4C;IACnF,MAAM,MAAM,GAAkB,EAAE,CAAC;IACjC,oEAAoE;IACpE,MAAM,cAAc,GAAG,IAAI,GAAG,EAAoB,CAAC;IACnD,MAAM,cAAc,GAAG,IAAI,GAAG,EAAwD,CAAC;IACvF,KAAK,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,IAAI,WAAW,EAAE,CAAC;QAC3C,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAC/E,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,aAAa;gBAAE,SAAS;YACrD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YACjC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;YAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC;YAC/C,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;gBACpD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAClB,cAAc,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;gBAClD,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;gBACjC,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,IAAI,WAAW,EAAE,CAAC;QAC3C,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAC/E,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,OAAO;gBAAE,SAAS;YAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;YAC/B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAEhE,MAAM,MAAM,GAAG,kBAAkB,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;YACtG,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACzD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CACzB,SAAiB,EACjB,UAA8B,EAC9B,cAA6C,EAC7C,cAAiF;IAEjF,6EAA6E;IAC7E,+EAA+E;IAC/E,kFAAkF;IAClF,6EAA6E;IAC7E,yEAAyE;IACzE,KAAK,MAAM,CAAC,YAAY,EAAE,QAAQ,CAAC,IAAI,cAAc,EAAE,CAAC;QACtD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QACpC,MAAM,OAAO,GAAG,6BAA6B,CAAC,IAAI,CAAC,YAAY,CAAC;YAC9D,CAAC,CAAC,YAAY;YACd,CAAC,CAAC,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC;QAC7C,IAAI,SAAS,KAAK,OAAO,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,OAAO,EAAE,CAAC;YAAE,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC;IACrF,CAAC;IACD,iFAAiF;IACjF,uEAAuE;IACvE,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;YAChE,IAAI,QAAQ;gBAAE,OAAO,QAAQ,CAAC,MAAM,CAAC;QACvC,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,SAAS,CAAC,MAAc,EAAE,IAAY;IAC7C,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAC1E,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAC7D,IAAI,WAAW,KAAK,GAAG;QAAE,OAAO,aAAa,IAAI,GAAG,CAAC;IACrD,OAAO,GAAG,aAAa,GAAG,WAAW,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACrB,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IACnE,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAChC,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5D,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3D,GAAG,GAAG,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,CAAC;QAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACpC,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,CAAC;QAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACpC,OAAO,GAAG,IAAI,SAAS,CAAC;AAC1B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAAC,UAAkB,EAAE,MAA8B;IAClF,MAAM,cAAc,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,wBAAwB,CAAC,KAAK,CAAC,IAAI,EAAE,cAAc,CAAC;YAAE,OAAO,KAAK,CAAC;IACzE,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,UAAkB,EAClB,YAAgC,EAChC,MAA8B;IAE9B,MAAM,cAAc,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,CAAC,wBAAwB,CAAC,KAAK,CAAC,IAAI,EAAE,cAAc,CAAC;YAAE,SAAS;QACpE,IAAI,CAAC,YAAY,IAAI,kBAAkB,CAAC,KAAK,CAAC,MAAM,EAAE,YAAY,CAAC;YAAE,OAAO,KAAK,CAAC;IACpF,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,gCAAgC,CAC9C,UAAkB,EAClB,YAAgC,EAChC,MAA8B;IAE9B,IAAI,CAAC,0BAA0B,CAAC,UAAU,CAAC;QAAE,OAAO,SAAS,CAAC;IAC9D,IAAI,CAAC,YAAY;QAAE,OAAO,SAAS,CAAC;IAEpC,MAAM,OAAO,GAAG,gBAAgB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpE,IAAI,CAAC,KAAK,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAC9B,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,GAAG,IAAI;YAAE,OAAO,KAAK,CAAC;QAC/C,IAAI,CAAC,KAAK,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAChC,IAAI,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YAAE,OAAO,KAAK,CAAC;QACnE,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,MAAM,EAAE,YAAY,CAAC;YAAE,OAAO,KAAK,CAAC;QAClE,IAAI,CAAC,0BAA0B,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1D,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACvD,CAAC;AAED,oFAAoF;AACpF,MAAM,UAAU,gBAAgB,CAAC,UAAkB,EAAE,MAA8B;IACjF,OAAO,iBAAiB,CAAC,UAAU,EAAE,MAAM,CAAC,KAAK,SAAS,CAAC;AAC7D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,UAAkB,EAAE,MAA8B;IACjF,MAAM,cAAc,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3D,MAAM,OAAO,GAAkB,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,wBAAwB,CAAC,KAAK,CAAC,IAAI,EAAE,cAAc,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChF,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1E,CAAC;AAED,SAAS,wBAAwB,CAAC,SAAiB,EAAE,cAAiC;IACpF,MAAM,aAAa,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzD,IAAI,aAAa,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACjE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9C,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,EAAE,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,cAAc,CAAC,EAAE,CAAC;YAAE,SAAS;QACjC,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,KAAK,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,0BAA0B,CAAC,IAAY;IAC9C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,4BAA4B,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACrD,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/D,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,EAAE;QAChC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACzC,OAAO,iDAAiD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,0BAA0B,CAAC,IAAY;IAC9C,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,CAAC,4BAA4B,CAAC,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,4BAA4B,CAAC,IAAY;IAChD,OAAO,YAAY,CAAC,IAAI,CAAC;SACtB,KAAK,CAAC,GAAG,CAAC;SACV,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QAChB,IAAI,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QAC3B,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5D,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACzC,IAAI,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;QACnD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACP,CAAC;AAED,4EAA4E;AAC5E,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAEjD,MAAM,UAAU,kBAAkB,CAAC,WAA+B,EAAE,YAAoB;IACtF,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,CAAC,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IACpC,IAAI,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACzC,MAAM,CAAC,GAAG,YAAY,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACzB,yEAAyE;IACzE,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAC7C,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAe,EAAE,KAAkB;IACpE,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,SAAS,CAAC;IACzF,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC;IACjD,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,OAAO,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAC3E,CAAC"}

package/dist/concept-rules/index.d.ts

@@ -5,7 +5,7 @@
  * Language-agnostic by design.
  */
 import type { ConceptMap } from '@kernlang/core';
-import type { ReviewFinding } from '../types.js';
+import type { ReviewConfig, ReviewFinding } from '../types.js';
 export interface ConceptRuleContext {
     concepts: ConceptMap;
     filePath: string;
@@ -13,7 +13,9 @@ export interface ConceptRuleContext {
     allConcepts?: Map<string, ConceptMap>;
     /** Resolved import graph — filePath → imported file paths */
     graphImports?: Map<string, string[]>;
+    /** Cross-stack precision mode. Defaults to guard. */
+    crossStackMode?: 'guard' | 'audit';
 }
 export type ConceptRule = (ctx: ConceptRuleContext) => ReviewFinding[];
 export declare const conceptRules: ConceptRule[];
-export declare function runConceptRules(concepts: ConceptMap, filePath: string, allConcepts?: Map<string, ConceptMap>, graphImports?: Map<string, string[]>): ReviewFinding[];
+export declare function runConceptRules(concepts: ConceptMap, filePath: string, allConcepts?: Map<string, ConceptMap>, graphImports?: Map<string, string[]>, config?: Pick<ReviewConfig, 'crossStackMode'>): ReviewFinding[];

package/dist/concept-rules/index.js

@@ -5,43 +5,93 @@
  * Language-agnostic by design.
  */
 import { authDrift } from './auth-drift.js';
+import { authPropagationDrift } from './auth-propagation-drift.js';
+import { bodyShapeDrift } from './body-shape-drift.js';
 import { boundaryMutation } from './boundary-mutation.js';
 import { contractDrift } from './contract-drift.js';
 import { contractMethodDrift } from './contract-method-drift.js';
 import { duplicateRoute } from './duplicate-route.js';
 import { ignoredError } from './ignored-error.js';
 import { missingResponseModel } from './missing-response-model.js';
+import { mutationWithoutIdempotency } from './mutation-without-idempotency.js';
 import { orphanRoute } from './orphan-route.js';
 import { paramNameSwap } from './param-name-swap.js';
+import { requestValidationDrift } from './request-validation-drift.js';
 import { syncHandlerDoesIo } from './sync-handler-does-io.js';
 import { taintedAcrossWire } from './tainted-across-wire.js';
+import { unboundedCollectionQuery } from './unbounded-collection-query.js';
 import { unguardedEffect } from './unguarded-effect.js';
+import { unhandledApiErrorShape } from './unhandled-api-error-shape.js';
 import { unrecoveredEffect } from './unrecovered-effect.js';
 import { untypedApiResponse } from './untyped-api-response.js';
 import { untypedBothEndsResponse } from './untyped-both-ends-response.js';
 export const conceptRules = [
     authDrift,
+    authPropagationDrift,
+    bodyShapeDrift,
     boundaryMutation,
     contractDrift,
     contractMethodDrift,
     duplicateRoute,
     ignoredError,
     missingResponseModel,
+    mutationWithoutIdempotency,
     orphanRoute,
     paramNameSwap,
+    requestValidationDrift,
     syncHandlerDoesIo,
     taintedAcrossWire,
+    unboundedCollectionQuery,
     unguardedEffect,
+    unhandledApiErrorShape,
     unrecoveredEffect,
     untypedApiResponse,
     untypedBothEndsResponse,
 ];
-export function runConceptRules(concepts, filePath, allConcepts, graphImports) {
-    const ctx = { concepts, filePath, allConcepts, graphImports };
+export function runConceptRules(concepts, filePath, allConcepts, graphImports, config) {
+    const ctx = {
+        concepts,
+        filePath,
+        allConcepts,
+        graphImports,
+        crossStackMode: config?.crossStackMode,
+    };
     const findings = [];
     for (const rule of conceptRules) {
         findings.push(...rule(ctx));
     }
-    return findings;
+    if (ctx.crossStackMode === 'audit')
+        return findings;
+    return suppressOverlappingNewRuleFindings(findings);
+}
+const NEW_RULE_OWNERS = {
+    'auth-propagation-drift': ['auth-drift'],
+    'unhandled-api-error-shape': ['auth-drift', 'contract-drift', 'contract-method-drift'],
+    'unbounded-collection-query': ['contract-drift', 'contract-method-drift'],
+    'request-validation-drift': ['body-shape-drift', 'contract-drift', 'contract-method-drift'],
+};
+function suppressOverlappingNewRuleFindings(findings) {
+    const ownerSpans = new Map();
+    for (const finding of findings) {
+        const spanKey = findingSpanKey(finding);
+        for (const owners of Object.values(NEW_RULE_OWNERS)) {
+            if (!owners.includes(finding.ruleId))
+                continue;
+            const existing = ownerSpans.get(finding.ruleId) ?? new Set();
+            existing.add(spanKey);
+            ownerSpans.set(finding.ruleId, existing);
+        }
+    }
+    return findings.filter((finding) => {
+        const owners = NEW_RULE_OWNERS[finding.ruleId];
+        if (!owners)
+            return true;
+        const spanKey = findingSpanKey(finding);
+        return !owners.some((owner) => ownerSpans.get(owner)?.has(spanKey));
+    });
+}
+function findingSpanKey(finding) {
+    const span = finding.primarySpan;
+    return `${span.file}:${span.startLine}:${span.startCol}`;
 }
 //# sourceMappingURL=index.js.map

package/dist/concept-rules/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/concept-rules/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAa1E,MAAM,CAAC,MAAM,YAAY,GAAkB;IACzC,SAAS;IACT,gBAAgB;IAChB,aAAa;IACb,mBAAmB;IACnB,cAAc;IACd,YAAY;IACZ,oBAAoB;IACpB,WAAW;IACX,aAAa;IACb,iBAAiB;IACjB,iBAAiB;IACjB,eAAe;IACf,iBAAiB;IACjB,kBAAkB;IAClB,uBAAuB;CACxB,CAAC;AAEF,MAAM,UAAU,eAAe,CAC7B,QAAoB,EACpB,QAAgB,EAChB,WAAqC,EACrC,YAAoC;IAEpC,MAAM,GAAG,GAAuB,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;IAClF,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/concept-rules/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAC/E,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AACvE,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAe1E,MAAM,CAAC,MAAM,YAAY,GAAkB;IACzC,SAAS;IACT,oBAAoB;IACpB,cAAc;IACd,gBAAgB;IAChB,aAAa;IACb,mBAAmB;IACnB,cAAc;IACd,YAAY;IACZ,oBAAoB;IACpB,0BAA0B;IAC1B,WAAW;IACX,aAAa;IACb,sBAAsB;IACtB,iBAAiB;IACjB,iBAAiB;IACjB,wBAAwB;IACxB,eAAe;IACf,sBAAsB;IACtB,iBAAiB;IACjB,kBAAkB;IAClB,uBAAuB;CACxB,CAAC;AAEF,MAAM,UAAU,eAAe,CAC7B,QAAoB,EACpB,QAAgB,EAChB,WAAqC,EACrC,YAAoC,EACpC,MAA6C;IAE7C,MAAM,GAAG,GAAuB;QAC9B,QAAQ;QACR,QAAQ;QACR,WAAW;QACX,YAAY;QACZ,cAAc,EAAE,MAAM,EAAE,cAAc;KACvC,CAAC;IACF,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,IAAI,GAAG,CAAC,cAAc,KAAK,OAAO;QAAE,OAAO,QAAQ,CAAC;IACpD,OAAO,kCAAkC,CAAC,QAAQ,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,eAAe,GAAsC;IACzD,wBAAwB,EAAE,CAAC,YAAY,CAAC;IACxC,2BAA2B,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,uBAAuB,CAAC;IACtF,4BAA4B,EAAE,CAAC,gBAAgB,EAAE,uBAAuB,CAAC;IACzE,0BAA0B,EAAE,CAAC,kBAAkB,EAAE,gBAAgB,EAAE,uBAAuB,CAAC;CAC5F,CAAC;AAEF,SAAS,kCAAkC,CAAC,QAAkC;IAC5E,MAAM,UAAU,GAAG,IAAI,GAAG,EAAuB,CAAC;IAClD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QACxC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC;gBAAE,SAAS;YAC/C,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;YACrE,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACtB,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE;QACjC,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QACxC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,OAAsB;IAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,WAAW,CAAC;IACjC,OAAO,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;AAC3D,CAAC"}

package/dist/concept-rules/mutation-without-idempotency.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Rule: mutation-without-idempotency
+ *
+ * Backend rule — fires on mutating HTTP routes that perform a DB write without
+ * visible idempotency, transaction, unique/upsert, or duplicate-protection
+ * evidence.
+ */
+import type { ReviewFinding } from '../types.js';
+import type { ConceptRuleContext } from './index.js';
+export declare function mutationWithoutIdempotency(ctx: ConceptRuleContext): ReviewFinding[];